feat(homelab): move traefik to rufus node, add rfc1918 middlewares

nix/homelab/helm/values/minecraft/main.yaml

@@ -70,48 +70,48 @@ extraVolumes:
           server: 192.168.27.2
           path: /backup/minecraft
 
-initContainers:
+# initContainers:
-  - name: world-restore
+#   - name: world-restore
-    image: busybox:latest
+#     image: busybox:latest
-    command:
+#     command:
-      - sh
+#       - sh
-      - -c
+#       - -c
-      - |
+#       - |
-        set -e
+#         set -e
-
+#
-        echo "=== Minecraft World Restore ==="
+#         echo "=== Minecraft World Restore ==="
-
+#
-        BACKUP_FILE="/backups/latest.tgz"
+#         BACKUP_FILE="/backups/latest.tgz"
-
+#
-        # Check if backup exists
+#         # Check if backup exists
-        if [[ ! -f "$BACKUP_FILE" ]]; then
+#         if [[ ! -f "$BACKUP_FILE" ]]; then
-          echo "Skipping restore, server will start with existing/new world"
+#           echo "Skipping restore, server will start with existing/new world"
-          exit 0
+#           exit 0
-        fi
+#         fi
-
+#
-        echo "✓ Backup found: $BACKUP_FILE"
+#         echo "✓ Backup found: $BACKUP_FILE"
-        echo "  Size: $(du -h $BACKUP_FILE | cut -f1)"
+#         echo "  Size: $(du -h $BACKUP_FILE | cut -f1)"
-
+#
-        # Check if world already exists
+#         # Check if world already exists
-        if [ -f /data/world/level.dat ]; then
+#         if [ -f /data/world/level.dat ]; then
-          echo "⚠ World already exists at /data/world/"
+#           echo "⚠ World already exists at /data/world/"
-          echo "  Replacing with backup..."
+#           echo "  Replacing with backup..."
-          rm -rf /data/world /data/world_nether /data/world_the_end
+#           rm -rf /data/world /data/world_nether /data/world_the_end
-        fi
+#         fi
-
+#
-        # Extract backup
+#         # Extract backup
-        echo "Extracting backup to /data/..."
+#         echo "Extracting backup to /data/..."
-        tar -xzf "$BACKUP_FILE" -C /data/
+#         tar -xzf "$BACKUP_FILE" -C /data/
-        echo "✓ Extraction complete"
+#         echo "✓ Extraction complete"
-
+#
-        echo ""
+#         echo ""
-        echo "=== Restore Complete ==="
+#         echo "=== Restore Complete ==="
-        echo "Restored world size: $(du -sh /data/world 2>/dev/null | cut -f1 || echo 'unknown')"
+#         echo "Restored world size: $(du -sh /data/world 2>/dev/null | cut -f1 || echo 'unknown')"
-        ls -lh /data/ | grep -E "^d" || true
+#         ls -lh /data/ | grep -E "^d" || true
-        echo ""
+#         echo ""
-    volumeMounts:
+#     volumeMounts:
-      - name: datadir
+#       - name: datadir
-        mountPath: /data
+#         mountPath: /data
-      - name: backup-volume
+#       - name: backup-volume
-        mountPath: /backup
+#         mountPath: /backup
-        readOnly: true
+#         readOnly: true

nix/homelab/kustomize/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
   - ./metallb/pool.yaml
   - ./traefik/config.yaml
+  - ./traefik/rfc1918-middleware.yaml
+  - ./traefik/chain.yaml
   - ./cert-manager/config.yaml
   - ./routes/media.yaml
   - ./routes/minecraft.yaml

nix/homelab/kustomize/metallb/pool.yaml

@@ -8,6 +8,16 @@ spec:
     - 192.168.18.31-192.168.18.61
 ---
 apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: rufus-pool
+  namespace: metallb-system
+spec:
+  addresses:
+    - 192.168.27.10-192.168.27.30
+  autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
   name: pool
@@ -15,3 +25,15 @@ metadata:
 spec:
   ipAddressPools:
     - pool
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: rufus-advertisement
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+    - rufus-pool
+  nodeSelectors:
+    - matchLabels:
+        kubernetes.io/hostname: rufus

nix/homelab/kustomize/routes/home-assistant.yaml

@@ -13,3 +13,9 @@ spec:
     - backendRefs:
         - name: home-assistant
           port: 8080
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: rfc1918-chain

nix/homelab/kustomize/routes/longhorn.yaml

@@ -13,3 +13,9 @@ spec:
     - backendRefs:
         - name: longhorn-frontend
           port: 80
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: rfc1918-chain

nix/homelab/kustomize/routes/media.yaml

@@ -13,3 +13,9 @@ spec:
     - backendRefs:
         - name: jellyfin
           port: 8096
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: rfc1918-chain

nix/homelab/kustomize/traefik/chain.yaml

@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-chain
+  namespace: home
+spec:
+  chain:
+    middlewares:
+      - name: rfc1918-only
+        namespace: default
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-chain
+  namespace: longhorn-system
+spec:
+  chain:
+    middlewares:
+      - name: rfc1918-only
+        namespace: default
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-chain
+  namespace: media
+spec:
+  chain:
+    middlewares:
+      - name: rfc1918-only
+        namespace: default

nix/homelab/kustomize/traefik/config.yaml

@@ -5,6 +5,13 @@ metadata:
   namespace: kube-system
 spec:
   valuesContent: |-
+    nodeSelector:
+      kubernetes.io/hostname: rufus
+
+    service:
+      annotations:
+        metallb.universe.tf/address-pool: rufus-pool
+
     ports:
       web:
         port: 80
@@ -52,6 +59,8 @@ spec:
          enabled: false
       kubernetesGateway:
          enabled: true
+      kubernetesCRD:
+        allowCrossNamespace: true
     gateway:
       listeners:
         web:

nix/homelab/kustomize/traefik/rfc1918-middleware.yaml

@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-only
+  namespace: default
+spec:
+  ipAllowList:
+    sourceRange:
+      - "10.0.0.0/8"
+      - "172.16.0.0/12"
+      - "192.168.0.0/16"

nix/modules/dns.nix

@@ -18,12 +18,11 @@
       dns = "systemd-resolved";
     };
     networking.extraHosts = ''
-      192.168.18.31 traefik.lucalise.ca 
+      192.168.27.10 traefik.lucalise.ca 
-      192.168.18.31 media.lucalise.ca 
+      192.168.27.10 media.lucalise.ca 
-      192.168.18.31 git.lucalise.ca 
+      192.168.27.10 git.lucalise.ca 
-      192.168.18.31 storage.lucalise.ca 
+      192.168.27.10 storage.lucalise.ca 
-      192.168.18.31 home-assistant.lucalise.ca 
+      192.168.27.10 home-assistant.lucalise.ca 
-      192.168.18.31 mc-rocket.duckdns.org 
     '';
 
     services.resolved = {

nodes/kube/hardware-configuration.nix

@@ -1,18 +0,0 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
-{
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
-
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usb_storage" "sd_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}